useful *.bro files repository?

I was wondering if there is (or SHOULD BE) a repository of useful *.bro
policies to use for different cases. Right now I am running with '@load
mt' and some other @load's which I semi-intelligently selected from the
policies dir, but I noticed there is a bunch of other fun bro files. Which
of them are useful and when?

Well, it all depends on (1) your threat model, (2) how much load you can
afford. I welcome suggestions about ways to organize these (and/or others
that folks want to contribute) and experiences on which to use in what sorts
of contexts.

Also, I understand that rules.bro is undocumented, but can I get ANY hints
on its functionality beyond what I can figure from looking at the files
itself...?

You should hold off on that a bit. Robin has written a chapter for the
Bro manual that describes the signature-matching, but the code is right
now still somewhat in flux. (Also note that rules.bro has been renamed
signatures.bro with the next Bro release.) This should be straightened
out within a few weeks, though, as we're now ramping up at LBL to run with
the signatures operationally.

BTW, I was also about to ask how to best collect and analyze alerts, but I
may have an answer to this one. Our product might soon collect Bro alerts
and report on them (in the context of other security event messages).

Experiences/approaches in this regard will likewise be interesting to hear!

    Vern

Vern and all,

Well, it all depends on (1) your threat model, (2) how much load you can
afford.

I know :) That is exactly why I asked. I was looking for ANY feedback on
what others were doing with bro and received NOTHING. So I assume people
are not really using it for any detection, but just as an educational tool
(which is fine!).

I continue to play with various policies. Some combinations crash bro,
some produce config parsing errors, some cause it to die a slow death,
etc.

Here is what I use now:

@load mt
@load http
@load backdoor
@load ssh
@load stepping
@load software
@load smtp
@load dns
const interfaces += "eth1";

It works, doesn't detect much, some fun FTP attacks and weird RST packets
got flagged. I want more :) but some of the others I tried crash it.

Best,
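Since the poster's trouble is that some @load combinations crash Bro or fail to parse, a cheap preflight over the policy script (before handing it to Bro) catches the simplest failure modes: a policy name that resolves to no file, a policy loaded twice, or no capture interface declared. The script below is an added example written for this thread, not code from the original post or from the Bro project. It assumes the old Bro convention that `@load name` is satisfied by a file `name.bro` in one of the directories listed in BROPATH; the sample script (the poster's list plus one bogus `@load nonexistent`) and the temporary policy directory are constructed here so the check runs offline.

```python
"""Preflight check for a Bro policy script like the @load list in the post.

Added example, not code from the original thread or from Bro itself. It assumes
the old Bro convention that `@load name` resolves to `name.bro` in one of the
directories listed in BROPATH; the sample script and the policy directory
contents are constructed below so the check runs offline.
"""
import os
import re
import tempfile

# `@load name` on a line of its own (Bro comments start with '#').
LOAD_RE = re.compile(r'^\s*@load\s+(\S+)\s*$')
# `const interfaces += "eth1";` (older syntax) or the `redef` form.
IFACE_RE = re.compile(
    r'^\s*(?:const|redef)\s+interfaces\s*\+=\s*"([^"]+)"\s*;\s*$')


def parse_policy(text):
    """Return (loads, interfaces, unrecognised) from a Bro policy script.

    unrecognised is a list of (line number, statement) pairs for lines this
    small checker does not understand; they are reported, not rejected.
    """
    loads, ifaces, other = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split('#', 1)[0].strip()   # drop comments/blank lines
        if not stripped:
            continue
        m = LOAD_RE.match(stripped)
        if m:
            loads.append(m.group(1))
            continue
        m = IFACE_RE.match(stripped)
        if m:
            ifaces.append(m.group(1))
            continue
        other.append((lineno, stripped))
    return loads, ifaces, other


def check_policy(text, bropath):
    """List problems: missing policy files, duplicate loads, no interface."""
    loads, ifaces, other = parse_policy(text)
    problems = []
    seen = set()
    for name in loads:
        if name in seen:
            problems.append(f"duplicate @load {name}")
        seen.add(name)
        # Assumption: `@load name` is resolved as name.bro along BROPATH.
        if not any(os.path.isfile(os.path.join(d, name + ".bro"))
                   for d in bropath):
            problems.append(f"@load {name}: no {name}.bro found in BROPATH")
    if not ifaces:
        problems.append("no capture interface declared")
    for lineno, stmt in other:
        problems.append(f"line {lineno}: unrecognised statement {stmt!r}")
    return problems


# Constructed sample: the poster's script plus one @load that cannot resolve.
SAMPLE = """\
@load mt
@load http
@load backdoor
@load ssh
@load stepping
@load software
@load smtp
@load dns
@load nonexistent
const interfaces += "eth1";
"""

POSTER_POLICIES = ["mt", "http", "backdoor", "ssh",
                   "stepping", "software", "smtp", "dns"]


def demo():
    """Check SAMPLE against a temporary policy dir holding only the eight
    policies the poster loads; returns the list of problems found."""
    with tempfile.TemporaryDirectory() as d:
        for name in POSTER_POLICIES:
            open(os.path.join(d, name + ".bro"), "w").close()
        return check_policy(SAMPLE, [d])


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it with the real policy directory in place of the temporary one (pass the BROPATH entries to `check_policy`) to see which `@load` lines cannot be satisfied before Bro is started; it says nothing about policies that parse but misbehave together, which is the harder problem the thread is really about.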